.foreach /ps 6 (place {!address -o:1 /f:MEM_COMMIT}) { .foreach /pS a /ps 100 (size {!address place }) { .echo place size; .writemem c:\dir2export\prefix${place} place L?${size}; } }
How to use:
- change "c:\dir2export" to the directory the dumps should be written to (the script above uses that path);
- change "prefix" to whatever file prefix you want, or drop it altogether;
Keep in mind that WinDbg does not accept multi-line scripts (the whole command must stay on one line) and that the !address extension behaves differently in a kernel-mode session.
UPD. For some strange reason WinDbg randomly reports a "can't access the memory" error, but the next run of the script completes successfully.
UPD2. Also the script is useful for full memory search:
// 8 bytes (the search pattern goes after the range, separated by a space)
.foreach /ps 6 (place {!address -o:1 /f:MEM_COMMIT}) { .foreach /pS a /ps 100 (size {!address place }) { s -q ${place} L?${size}/8 put-variable-here; } }
// 4 bytes
.foreach /ps 6 (place {!address -o:1 /f:MEM_COMMIT}) { .foreach /pS a /ps 100 (size {!address place }) { s -d ${place} L?${size}/4 put-variable-here; } }
etc.
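The same full-memory search can be run offline over the files produced by the .writemem script above, which is handy when the live target is gone or when WinDbg keeps tripping over the "can't access the memory" error. The Python below is an added example, not part of the original post: it assumes the dump files are named "<prefix><hex start address>" exactly as the .writemem line writes them, loads every region, and searches for a 4- or 8-byte little-endian value, translating each file offset back to a virtual address. The two region files it creates are constructed sample data. Whether the scan honours DWORD/QWORD alignment is a parameter, so it can match either an aligned or a byte-granular search.

```python
import os
import re
import struct
import tempfile


def load_regions(directory, prefix):
    """Return {start_address: bytes} for every file named <prefix><hex address>.

    Assumption: file names come from '.writemem <dir>\\prefix${place} ...', where
    ${place} is the region start printed by !address (may contain a backtick).
    """
    pat = re.compile(r"^" + re.escape(prefix) + r"([0-9a-fA-F`]+)$")
    regions = {}
    for name in os.listdir(directory):
        m = pat.match(name)
        if not m:
            continue
        base = int(m.group(1).replace("`", ""), 16)
        with open(os.path.join(directory, name), "rb") as f:
            regions[base] = f.read()
    return regions


def search_value(regions, value, width, aligned=True):
    """Find every occurrence of `value` encoded as a little-endian 4- or 8-byte
    integer and return the sorted virtual addresses of the hits.

    aligned=True steps through each region at the value's natural alignment;
    aligned=False checks every byte offset (a superset of the aligned hits).
    """
    fmt = {4: "<I", 8: "<Q"}[width]
    needle = struct.pack(fmt, value)
    step = width if aligned else 1
    hits = []
    for base, data in regions.items():
        for off in range(0, len(data) - width + 1, step):
            if data[off:off + width] == needle:
                hits.append(base + off)  # file offset -> virtual address
    return sorted(hits)


def build_demo_dump(directory, prefix):
    """Write two constructed region files (sample data, not a real process dump)."""
    regions = {
        # 16 zero bytes, then one QWORD marker, then 8 zero bytes
        0x7FF6C0000: b"\x00" * 16 + struct.pack("<Q", 0xDEADBEEFCAFEBABE) + b"\x00" * 8,
        # two aligned copies of a DWORD marker followed by filler
        0x10000: struct.pack("<I", 0xCAFEBABE) * 2 + b"\x11" * 4,
    }
    for base, data in regions.items():
        with open(os.path.join(directory, f"{prefix}{base:x}"), "wb") as f:
            f.write(data)
    return regions


def demo():
    """Dump the constructed regions to a temp dir, reload them and run both searches."""
    d = tempfile.mkdtemp()
    build_demo_dump(d, "prefix")
    regions = load_regions(d, "prefix")
    return {
        "qword": search_value(regions, 0xDEADBEEFCAFEBABE, 8),
        "dword": search_value(regions, 0xCAFEBABE, 4),
    }


if __name__ == "__main__":
    for kind, addrs in demo().items():
        print(kind, [hex(a) for a in addrs])
```

Note that the 4-byte search also reports the low DWORD of the 8-byte marker at 0x7ff6c0010: the marker's little-endian encoding starts with the same four bytes, which is exactly the kind of partial overlap a narrower search turns up.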